Grant Privileges (Controlling SYSADM)

Philip Sevetson

Grant Privileges (Controlling SYSADM)

August 23, 2017 07:14 AM

**please note my email address change**
That has been my experience where I have worked, yes. The list of
people who have the SYSADM authorization must be extremely
restricted, both by amount of experience – it’s not
something you want to give to someone if they aren’t very
experienced with the DBMS – and by duties.

· A security administrator can use the security tool to
connect individuals to those groups/authIDs based on work needs,
and not actually have DB2 privileges. (Most security administrators
don’t understand DB2, again in my experience.)

· DBAs do the GRANT privileges to new table for those
groups, and new GRANTs to existing tables

· A Production Implementation / Configuration Management
person/team does the static BINDs, and has all necessary table
SEL/INS/UPD/DEL privileges to accomplish that. This person may be,
but usually is not, a DBA.

Individuals doing analytic work need additional ability to save
data:

· CREATE TABLE privileges are given out to individuals,
within a personal database/tablespace, for people who need to do
operations like SAVE DATA (QMF).

· DASD Monitor - Someone has to monitor space used by those
databases, and raise flags for data which is kept a long time or
takes a lot of space.

· RLF - The Resource Limitation Facility should be set to
stringently limit the size of any units of work (queries or writes)
which analysts do in production. Otherwise, a badly written query
in an OLTP or HTAP environment can drastically slow production
and/or hold locks which prevent production work. In a serious
enough case, a badly performing update can paralyze production.

According to your clarification i can understand that most shops
that applies separation of duty , they limit SYSADM authority to
one or two authid and also still SYSADM can Grant privileges

-----End Original Message-----
**This e-mail, including any attachments, may be confidential,
privileged, or otherwise legally protected. It is intended only for
the addressee. If you received this e-mail in error or from someone
who was not authorized to send it to you, do not disseminate, copy,
or otherwise use this e-mail or its attachments. Please notify the
sender immediately by reply e-mail and delete the e-mail from your
system.**